Flipping the Economics of Attacks - polyscope.ch · employed security analysts. Our analysis...

Sponsored by Palo Alto Networks Independently conducted by Ponemon Institute LLC Publication Date: January 2016

Ponemon Institute© Research Report

Flipping the Economics of Attacks


Flipping the Economics of Attacks Ponemon Institute, January 2016

Part 1. Introduction How much does it cost technically proficient adversaries to conduct successful attacks, and how much do they earn? In Flipping the Economics of Attacks, we look at the relationships between the time spent and compensation of today’s adversaries and how organizations can thwart attacks. As revealed in this research, while some attackers may be motivated by non-pecuniary reasons, such as those that are geopolitical or reputational, an average of 69 percent of respondents say they are in it for the money. In this study, we surveyed 304 threat experts in the United States, United Kingdom and Germany. We built this panel of experts based on their participation in Ponemon Institute activities and IT security conferences. They were assured their identity would remain anonymous. Twenty-one percent of respondents say they are very involved, and 79 percent of respondents are involved in the threat community. They are all familiar with present-day hacking methods. Following are the most salient findings of this research: Attackers are opportunistic. Adversaries go after the easiest targets first. As shown in Figure 1, they won’t waste time on an attack that will not quickly result in a treasure trove of high-value information, according to 72 percent of respondents. Further, attackers will quit when the targeted company has a strong defense, according to 69 percent of respondents. Cost and time to plan and execute attacks is decreasing. According to 53 percent of respondents, the total cost of a successful attack has decreased, driving even more attacks across the industry. Similarly, 53 percent of respondents say the time to plan and execute an attack has decreased. Of these 53 percent of respondents who say it takes less time, 67 percent agree the number of known exploits and vulnerabilities has increased, 52 percent agree attacker skills have improved, and 46 percent agree hacking tools have improved. Increased usage of low-cost and effective toolkits drives attacks. Technically proficient attackers are spending an average of $1,367 for specialized toolkits to execute attacks1. In the past two years, 63 percent of respondents say their use of hacker tools has increased and 64 percent of respondents say these tools are highly effective. Time to deter the majority of attacks is less than two days. The longer an organization can keep the attacker from executing a successful attack, the stronger its ability to safeguard its sensitive and confidential information. The inflection point for deterring the majority of attacks is

1 We assume that this average cost for specialized tools applies to all attacks launched over one year.

Figure 1. Attackers look for easy targets Strongly agree and agree responses combined


less than two days (40 hours), resulting in more than 60 percent of all attackers moving on to another target. Adversaries make less than IT security professionals. On average, attackers earn $28,744 per year in annual compensation, which is about one-quarter of a cybersecurity professional’s average yearly wage. Organizations with strong defenses take adversaries more than double the time to plan and execute attacks. The average number of hours a technically proficient attacker takes to plan and execute an attack against an organization with a “typical” IT security infrastructure is less than three days (70 hours). However, when the company has an “excellent” IT infrastructure, the time doubles to an average of slightly more than six days (147 hours). Threat intelligence sharing is considered the most effective in preventing attacks. According to respondents, an average of 39 percent of all hacks can be thwarted because the targeted organization engaged in the sharing of threat intelligence with its peers. Investments in security effectiveness can reduce successful attacks significantly. As an organization strengthens its security effectiveness, the ability to deter attacks increases, as shown in this report. The following are recommendations to harden organizations against malicious actors: ! Create a holistic approach to cybersecurity, which includes focusing on the three important

components of a security program: people, process and technology. ! Implement training and awareness programs that educate employees on how to identify and

protect their organization from such attacks as phishing. ! Build a strong security operations team with clear policies in place to respond effectively to

security incidents. ! Leverage shared threat intelligence in order to identify and prevent attacks seen by your

peers. ! Invest in next-generation technology, such as threat intelligence sharing and integrated

security platforms that can prevent attacks, and other advanced security technologies.


Part 2. Key findings In this section, we provide an analysis of the findings. The complete audited findings are presented in the appendix of this report. We have organized the report according to the following topics: ! The economic motivation of attackers ! Why successful attacks are increasing ! Inflection point: When malicious actors call it quits ! Hardening the organization against attackers The economic motivation of attackers What motivates an attacker? As shown in Figure 2, 69 percent of respondents in this study are motivated by money. While many attackers may be hoping for a big “payout,” reality can be quite different. The findings reveal that attackers, on average, receive $28,744 for an average of 705 hours spent on attacks annually. Of course, some attackers do “earn” more than the average. However, this compensation is 38.8 percent less than the average hourly rate of IT security practitioners employed in the private and public sector. Figure 2. On average, what percent of attackers are motivated purely by economics (e.g., money) versus reputation or other non-pecuniary incentives? Extrapolated average = 69 percent

1% 1% 4%

15%

26%

54%

0%

10%

20%

30%

40%

50%

60%

< 5% 5 to 10% 11 to 25% 26 to 50% 51 to 75% 76 to 100%


Calculating the economics of hacking. To calculate the average adversary’s compensation, we extrapolate the hours spent on attacks against organizations with a “typical” and “excellent” IT security infrastructure. As shown in Table 1, the time spent on an attack against an organization with an excellent IT security infrastructure is more than twice the time it takes when the organization has less than a strong security posture (e.g., 70 hours versus 147 hours per attack). The extrapolated pivot point where attackers would quit an attack is 209 hours on average. From survey responses, we calculate an average value of $14,711 for each successful attack. We also calculate the average number of successful attacks per year at 8.26. The unadjusted economic gain per year equals $14,711 X 8.26. This value is adjusted by 42 percent (i.e., percent of successful attacks) and 59 percent (i.e., percent of successful attacks yielding a non-zero return). Finally, we reduce this adjusted value by the extrapolated cost of specialized tools of $1,367 used to improve the attacker’s performance. The following is the basic equation, which yields an adjusted annual compensation of $28,744:

$28,744 = {[$14,711 X 8.26 X 42% X 59%] - $1,367}

Table 1. Economics of hacking Calculus Overall* Hours spent on attack against typical IT security infrastructure 70 Hours spent on attack against excellent IT security infrastructure 147 Hours before quitting 209 Value per successful attack $14,711 Number of attacks per year 8.26 Percent of successful attacks 42.0% Percent of successful attacks yielding non-zero return 59.0% Cost of specialized tools $1,367 Annual compensation $28,744 Total hours spent per year 705 Labor rate per hour $40.75 Rate per hour (benchmarks) $60.36 Labor rate differential $19.61 Percentage differential 38.8%

*Analysis conducted on the combined US, UK and German samples To complete this analysis, we extrapolate the total hours that attackers devote to hacking activities each year. Drawing from prior research, we assume 80 percent of all attacks are lodged against organizations with a typical or ordinary security infrastructure and 20 percent with an excellent security infrastructure.2 This yields a weighted average of 705 total hours per year. To derive an hourly attacker labor rate of $40.75, we simply divide adjusted annual compensation by total hours worked. Does crime pay? For comparison purposes, we show an approximate labor rate derived from salary statistics compiled in recent research, where the fully loaded hourly labor rate for an experienced IT security professional is $60.36, which is 38.8 percent higher than the hourly rate compiled for attackers.3 It is important to note attackers have more leisure time than gainfully employed security analysts. Our analysis assumes an average of only 705 hours worked per year for attackers versus 1,918 hours per annum by experienced IT security analysts.

2See: The Cyber Security Leap: From Laggard to Leader, Accenture & Ponemon Institute, April 2015 3See: Annual IT Security Benchmark Study. Ponemon Institute, July 2015.


Why successful attacks are increasing Attacker technology is improving and makes more attacks possible. As shown in Figure 3, attackers are benefiting from automated hacking tools, which make it easier for attackers to execute a successful attack, according to 68 percent of respondents. Fifty-six percent of respondents say the time and resources incurred by attackers to execute a successful attack have decreased over time. Expertise is not enough to defeat a motivated attacker. Only 47 percent of respondents say that common sense controls can stop a successful hack. To defeat attackers, organizations need to arm themselves with sophisticated technologies. Figure 3. Why attacks are increasing Strongly agree and agree responses combined

47%

56%

68%

0% 10% 20% 30% 40% 50% 60% 70% 80%

Most hackers can be defeated with common-sense controls

The time and resources incurred by hackers to execute successful attacks have decreased over

time

Automated hacking tools makes it easier for hackers to execute successful attacks


The cost of conducting successful attacks drops with the increasing use of hacker toolkits. Technically proficient adversaries are spending an average of $1,367 for specialized toolkits to execute attacks4. In the past two years, 63 percent of respondents say their use of hacker tools has increased by an average of 18 percent. Moreover, as shown in Figure 4, 64 percent of respondents (26 + 38) say these tools are highly effective. Figure 4. How effective are hacker tools for exploiting targeted organizations? 7+ on a scale of 1=not effective to 10=highly effective

According to Figure 5, 84 percent of respondents either say there has been a significant improvement in hacker tools (31 percent) or there has been some improvement (53 percent). Only 16 percent of respondents say there has not been any improvement. Figure 5. Hacker tools have improved and make it easier to execute a targeted attack Consolidated view

4 Ibid Footnote 1

2%

12%

23% 26%

38%

0%

5%

10%

15%

20%

25%

30%

35%

40%

1 or 2 3 or 4 5 or 6 7 or 8 9 or 10

31%

53%

16%

0%

10%

20%

30%

40%

50%

60%

Yes, significant improvement Yes, some improvement No improvement


It costs less to hack. Not only are the hacker tools improving, the total cost of a successful attack has decreased, according to 53 percent of respondents, as shown in Figure 6. The reduction in cost is due to less time to execute a successful attack and the improvement in hacker tools. Contributing to the lower cost of a successful attack is the decrease in the cost of computing power. Cyber criminals can launch more sophisticated attacks for less investment. Today, bad actors without the capability to develop their own tools can use existing malware and exploits, which are often free or inexpensive to obtain online. Similarly, advanced attackers, criminal organizations and nation-state attackers are able to use these widely available tools to launch successful intrusions and obscure their identities. These sophisticated adversaries are also developing and selectively using unique tools that could cause even greater harm. Figure 6. How has the total cost of a successful attack changed? Consolidated view

13%

53%

35%

0%

10%

20%

30%

40%

50%

60%

Increased Decreased Stayed the same


Attackers are becoming more proficient. Eighty-five percent of respondents say the time to plan and execute an attack has either decreased (53 percent) or stayed the same (32 percent of respondents). As shown in Figure 7, the primary reasons a decrease has occurred can be attributed to the increased number of known exploits and vulnerabilities (67 percent of respondents), improved skills as a hacker (52 percent of respondents), and improved hacking tools (46 percent of respondents). Figure 7. Why the time to plan and execute an attack has decreased More than one response permitted

4%

20%

22%

46%

52%

67%

0% 10% 20% 30% 40% 50% 60% 70%

Other

Improved intelligence about targeted organizations

Improved collaboration within the hacking community

Improved hacking tools

Improved skills as a hacker

Increased number of known exploits and vulnerabilities


Inflection point: When malicious actors call it quits Time to deter the majority of attacks is less than two days. We asked respondents how much time it takes to plan and execute web-based and malicious code attacks and if the time has increased, decreased or stayed the same. The study also examines how many of these attacks are successful and when does an attacker call it quits. As shown in Figure 8, the longer an organization can keep the attacker from executing a successful attack, the stronger its ability to safeguard its sensitive and confidential information. While no organization has unlimited resources to spend hardening itself against malicious actors, understanding the amount of time until attackers’ efforts are no longer potentially profitable will help the leadership prioritize investments in the appropriate technologies. Time is the enemy of an attacker. The more time that passes before a successful attack can execute, the more likely an organization can stop it. For example, a delay of five hours in conducting a successful attack deters 13 percent of attacks, a delay of 10 hours can reduce 24 percent of attacks, and 20 hours deters 36 percent of attacks. On average, a technically proficient hacker will quit an attack and move to another target after spending less than nine days without success. Figure 8. When will a hacker call it quits? Consolidated view

13%

24%

36%

60%

0% 10% 20% 30% 40% 50% 60% 70%

Attacks deterred by an increase of 5 hours to conduct an attack





Malicious actors need to double the time to plan and execute successful attacks when the organization they target has an excellent IT infrastructure. In this study, we define an excellent IT security infrastructure as one that continually assesses threats, invests in leading-edge technologies, and has adequate expertise supported by good governance practices. Whereas, the typical IT security infrastructure is less mature and may not deploy the technologies necessary to stop or curtail attackers. The following are other indications of an excellent IT security infrastructure:

! An advanced security system designed with definitive knowledge of what and who is using the network. In other words, no guessing.

! The capabilities of the advanced security system are integrated as much as possible into a platform, so any suspicious action results in an automatic reprogramming of the other system’s capabilities.

! The platform also must be part of a larger, global ecosystem that enables a constant and near real time sharing of attack information that can be used immediately to apply protections to prevent other organizations in the ecosystem from falling victim to the same or similar attacks.

! Where data resides or the network’s deployment model should not affect security posture. For example, advanced integrated security and automated outcomes must be the same whether the network is on premise, in the cloud, or has data stored off the network in third-party applications. Any inconsistency in the organization’s security is a vulnerability point.

! Productivity should not be sacrificed because of security. Rather, security should be designed to support migration to the cloud, virtualization, and other technologies that are important to the goals and objectives of the business.


Hardening the organization against attackers Threat intelligence sharing is considered most-effective in preventing attacks. To make it more difficult to execute a successful attack, the solution is to exchange threat intelligence with peers and to invest in the appropriate technologies to strengthen an organization’s security posture. As shown in Figure 10, an average of 39 percent of all hacks can be thwarted because the targeted organization engaged in the sharing of threat intelligence with its peers. Additionally, out of all technologies available, threat intelligence sharing was cited by 55 percent of respondents as the most likely to prevent or curtail successful attacks. Figure 10. What percent of all hacks can be thwarted because of threat intelligence sharing with peers? Extrapolated average = 39 percent

4%

8%

29% 29%

14% 15%

0%

5%

10%

15%

20%

25%

30%

35%

Less than 5% 5 to 10% 11 to 25% 26 to 50% 51 to 75% 76 to 100%


Conclusion and recommendations It is clear the attack landscape has changed. Each day we see more successful data breaches against organizations around the globe. This study has exposed as important element of this criminal underground, which can often be missed when headlines about the next big data breach dominate the front page: the economic motivation of cybercriminals and how we can use this information to turn the tables on them. The findings clearly show the profit-based motivation of attackers, which means the same economic forces are at work for them as for major businesses. Adversaries are in it for the quick and easy payday, with the majority of them making far less than comparable IT security professionals. We expect the cost of attacks to continue to decrease as attackers become more skilled and automated toolkits are improved and in widespread use, as well as other factors examined in this survey. There is another side to the cost equation though, which the security community can use to keep its organizations safe. We can change the economics of attacks by putting up a better defense, which takes attackers much longer to overcome. This survey has shown how attackers will divert their attention to other targets after an increase in the time it takes to breach an organization of less than two days. Like many businesses, adversaries are constantly weighing the potential profit versus cost, which includes the time it takes them to be successful. As a security community, we must take into account the motivation and economic environment surround attacks, not just technical solutions to the problem. In order to increase the cost to the attacker, we recommend organizations take the following action to enhance their security:

! Create a holistic approach to cyber security, which includes focusing on the three important components of a security program: people, process and technology.

! Implement training and awareness programs that educate employees on how to identify and protect their organization from such attacks as phishing.

! Build a strong security operations team with clear policies in place to respond effectively to security incidents.

! Invest in next-generation technology, such as threat intelligence sharing and integrated security platforms that can prevent attacks, and other advanced security technologies.


Part 3. Methods A sampling frame of 10,332 individuals with self-proclaimed hacking skills located in the United States, United Kingdom and Germany were selected as participants to this survey. Table 1 shows 379 total returns. Post screening and reliability checks required the removal of 75 surveys. Our final sample consisted of 304 surveys or a 2.9 percent response rate. Table 2. Sample response US UK DE Combined Sampling frame 5,055 2,632 2,645 10,332 Total returns 197 89 93 379 Post-screened and rejected surveys 39 19 17 75 Final sample 158 70 76 304 Response rate 3.1% 2.7% 2.9% 2.9%

Pie Chart 1 reports the respondent’s age. Thirty-seven percent of respondents are between the ages of 18 and 29, and 39 percent are between 30 and 40 years of age. Pie Chart 1. Respondent’s age range

As shown in Pie Chart 2, 19 percent of respondents have between 5 and 10 years of experience, and almost half (45 percent) of respondents have between 11 and 20 years of experience. Pie Chart 2. Years of experience in hacking and/or IT security activities such as penetration testing

37%

39%

15%

9%

Between 18 and 29

Between 30 and 40

Between 41 and 50

Between 51 and 60

2%

19%

45%

25%

9%

Less than 5

Between 5 and 10

Between 11 and 20

Between 21 and 30

More than 30


Eighty-four percent of respondents are male and 16 percent are female. Pie Chart 3. Gender

As shown in Pie Chart 4, 27 percent of respondents reported their employment status as freelancer, 14 percent are employed by a consulting firm, and 13 percent are employed by IT products firms, and another 23 percent are employed by IT departments within a commercial entity. Pie Chart 4. Employment status

84%

16% Male

Female

27%

14%

13%

13%

12%

11%

6% 3% 1% Freelancer

Employed by consulting firm

Employed by IT products firm

Employed by IT department within a commercial entity Employed by IT services firm

Employed by government entity

Member of the armed forces (military)

Presently not employed

Retired


Part 4. Caveats to this study There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys: ! Non-response bias: The current findings are based on a sample of survey returns. We sent

surveys to a representative sample of individuals, resulting in a number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the survey.

! Sampling frame bias: The accuracy is based on contact information and the degree to which

the list is representative of individuals who are white and black hat attackers located in the United States, United Kingdom and Germany. We also acknowledge that the results may be biased by external events, such as media coverage. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.

! Self-reported results: The quality of survey research is based on the integrity of confidential

responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.

Flipping the Economics of Attacks - polyscope.ch · employed security analysts. Our analysis...

Documents

Transcript of Flipping the Economics of Attacks - polyscope.ch · employed security analysts. Our analysis...